bvstone

SSL Handshake Errors with GETURI, MAILTOOL and GreenTools Products

Posted:

SSL Handshake Errors with GETURI, MAILTOOL and GreenTools Products

UPDATE: IBM Has Issued PTFs That May Solve This Issue:

The following PTFs have been issued that should solve this issue.  The previously listed PTFs didn't seem to solve the issue.  But as of 2/10/2022 these have been tested by myself and seem to work:

7.3 - MF69527
7.4 - MF69523

SSL/TLS Handshake Errors

Recently IBM i users (and myself) that use applications that communicate over SSL/TLS with sockets (such as GETURI, MAILTOOL, G4G, G4MS, HTTPAPI, etc) have run into some communication issues.  The two errors errors in question are:

  • Error performing SSL Handshake.  RC(-11) or RC(-16) PeerCertRC(0) - For the base IBM SSL APIs

  • Error performing SSL handshake.  RC(415) errno(0) - When using the GSKit SSL APIs

This error is random and most of the time is resolved by making the request again.  We understand this solution isn't ideal and have been trying to work with IBM to find a proper solution.

I did open a case with IBM (as have others regarding the same issue) but we were unable to find the issue's main cause. Although with some trial and error we were able to find a couple solutions that did work for most endpoints for the time being.

I also started a conversation on Stack Overflow and have received one reply that may help us down the right path.  It makes sense if Google says a cipher isn't compatible that it would cause problems, but again I don't know why Google wouldn't just ignore that cipher as there are normally many more to choose from in the SSL handshake negotiation.

Solution 1: Remove *TLSV1.3 from system value QSSLPCL

This solution seemed to solve the problem for myself, although I didn't perform as many tests as the other options.  For some shops this is not an option for security reasons, but if it is, give it a try to see if it helps.  I don't know of any endpoints that require only TLS v1.3 at this time, but that may not be the case for you.

Solution 2: Remove Specific SSL Ciphers From System Value QSSLCSL

The following ciphers were removed the from the system cipher list (system value QSSLCSL) after changing system value QSSLCSLCTL to *USRDFN.

  • *ECDHE_RSA_AES_256_GCM_SHA384 -  this one seems to cause problems with Google/GMail and Microsoft/Office 365.

  • *AES_256_GCM_SHA384 - this one seems to cause problems with GoDaddy.  

Your situation may be a different cipher.  I have another customer now getting this error communicating with a server using a new Amazon root CA.  So, it's important to open a call with IBM when you have this problem so they can do a trace and hopefully find out which cipher may be an issue, or possibly find a real answer/solution to this problem.

No IPL is required after making any of these changes.       

After removing these ciphers from my system cipher list, all of the errors I was experiencing stopped.  In your case, it could be a different Cipher that is causing the problem depending on the endpoint that is having the issue.  Removing these ciphers should not cause any issues with other applications, and in fact on the Stack Overflow post I made someone actually commented that the one of the ciphers isn't compatible.

Final Actions:

Step 1: Contact IBM support and let them know you're having this issue.  The more people that contact them, the more they hopefully will be willing to dig deeper into the issue or issue a PTF that removes specific ciphers that seem to be causing the problem from the *OPSYS SSL cipher list for the QSSLCSLCTL system value.  I suspect that as time goes on more vendors, and even IBM themselves, will encounter this issue making it even more critical to fix.

Step 2: Try removing the specific ciphers from the SSL list mentioned above.  This completely resolved the issue for me.  I know that sometimes this type of thing can make you wonder if something else will break, but it is most likely what IBM will suggest as well.

Step 3: Make sure you have the latest version of MAILTOOL installed.  We have added a "retry" option to MAILTOOL if this specific error occurs.

Step 4: For GETURI, and the GreenTools products, you may need to add retries to your code as well when this specific error occurs.

Step 5:  If you learn any information that may help, I have opened a question on Stack Overflow that I am hoping if the right eyes see it, we'll get an answer.  If you have any friends at Google, Microsoft, or GoDaddy, myself and IBM are willing to work with them to figure out the issue.

Thank you, and we apologize for the inconvenience this issue may have caused.


 


Last edited 02/11/2022 at 07:55:58



Latest Posts:

What Objects Should I Omit from Replication to Ensure My License Keys Work on my HA/DR System? What Objects Should I Omit from Replication to Ensure My License Keys Work on my HA/DR System?
Posted by June 27, 2022
BVSTools >> BVSTools Software Discussion
GreenTools for Google Apps (G4G) v15.00 Now Offers Functions to Bypass Registration Command and BVSTools Landing Page GreenTools for Google Apps (G4G) v15.00 Now Offers Functions to Bypass Registration Command and BVSTools Landing Page
Posted by May 3, 2022
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
How Do I Switch From MAILTOOL Plus to GreenTools for Google or Microsoft Office 365? How Do I Switch From MAILTOOL Plus to GreenTools for Google or Microsoft Office 365?
Posted by April 18, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
PTFs Issued for SSL/TLS Issues PTFs Issued for SSL/TLS Issues
Posted by March 12, 2022
IBM Power Systems >> PTF Watch
Google Dropping Support for Google Dropping Support for "Less Secure Apps" May 30th, 2022. What Does This Mean for Your IBM i Email?
Posted by March 4, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Have You Installed a New Version of MAILTOOL and Now Things Are Acting Different?  Check the Command Defaults! Have You Installed a New Version of MAILTOOL and Now Things Are Acting Different? Check the Command Defaults!
Posted by February 28, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Using MAILTOOL Plus on V7R1, or Any OS Using TLS 1.1 or Older Using MAILTOOL Plus on V7R1, or Any OS Using TLS 1.1 or Older
Posted by January 27, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
BVSTools ILE Functions Being Updated to Remove Hashtag (#) from Function Names BVSTools ILE Functions Being Updated to Remove Hashtag (#) from Function Names
Posted by December 30, 2021
BVSTools >> BVSTools Announcements
GETURI v12.00 Released Removing Beginning # (Hashtag) From Function Names GETURI v12.00 Released Removing Beginning # (Hashtag) From Function Names
Posted by December 28, 2021
BVSTools >> BVSTools Announcements >> Get URI (GETURI) Specific Announcements
Is any of BVSTools Software Affected by the log4j exploit? Is any of BVSTools Software Affected by the log4j exploit?
Posted by December 20, 2021
BVSTools >> BVSTools Software Discussion
GreenTools for Microsoft Apps (G4MS) Updated to Allow Downloads, Deletes, and Sharing of Files GreenTools for Microsoft Apps (G4MS) Updated to Allow Downloads, Deletes, and Sharing of Files
Posted by December 17, 2021
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
SSL Handshake Errors with GETURI, MAILTOOL and GreenTools Products SSL Handshake Errors with GETURI, MAILTOOL and GreenTools Products
Posted by October 18, 2021
BVSTools >> BVSTools Software Discussion
MAILTOOL Updated to Retry Sending when GSK SSL Handshake Error 415 (GSK_ERROR_BAD_PEER) is Encountered MAILTOOL Updated to Retry Sending when GSK SSL Handshake Error 415 (GSK_ERROR_BAD_PEER) is Encountered
Posted by August 19, 2021
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
MAILTOOL Updated to Allow List-Unsubscribe and User Defined Headers MAILTOOL Updated to Allow List-Unsubscribe and User Defined Headers
Posted by August 13, 2021
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
AWS signing process in as400 AWS signing process in as400
Posted by August 13, 2021
Programming >> Web Programming

Reply




Copyright 1983-2020 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).